Choreography Conformace Checking based on Process Algebras
Manuel I. Capel
Software Engineering Department, University of Granada, 18071 Granada, Spain
Keywords:
Business Process Models, Choreography, BPMN 2.0, Transformation Sules Set.
Abstract:
Business Process Modelling (BPM) is a conceptual activity for representing processes of an enterprise. A busi-
ness process can be understood as a set of related, structured, interacting activities driven by a choreography
that is capable of giving complex services to customers. The ways in which a choreography can be specified
in order to check if the behaviour described is conformant with the peer–based interactions of a distributed
target system, and thus to prove safety properties, should be correctly defined by identifying the appropriate
processes. Hence, choreographies becomes now of great use to analyze and improve any modern company’s
business.
1 INTRODUCTION
This work is mainly intended to propose a formal se-
mantics to a set of BPMN modelling constructs, use-
ful to enforce the choreography to be realizable; and
then, it introduces an easy approach to the verification
of business processes that may use model–checking
techniques. Several authors have made progress in
solving the problem of BPMN validation. The re-
search work up until now can be divided into two
categories, the first one focuses on business process
model analysis, whereas the second centres on obtain-
ing a formal semantics of BPMN modelling entities.
The main approaches of work in the first area can be
found in (Aalst, 2009). In this second group, the cen-
tral problem to tackle consists of proving the sound-
ness of BPMN model transformation. In many cases,
a model cannot be verified because its representation
in a executable environment does not show the same
behaviour
1
as observed in the original model.
The lack of verification exhibited by the afore-
mentioned approaches, in our opinion, it is mainly
due to semantic and syntactic problems caused by
the incorrect integration of (1) business properties for-
malization and (2) the corresponding task model.
Taking steps towards the verifiability of BPMN is
that we placed both, the executable task model and
the BPMN conceptual model, in the same seman-
tic domain. We therefore propose here, (a) a set of
transformation rules from a subset of temporal anal-
ysis constructs of BPMN into Communicating Se-
1
e.g.,it reacts differently to external events
quential Processes + Time (CSP+T) calculus, (b) an
easy verification approach for tasks models designed
with BPMN. Differently to other authors (Rozinat and
Aalst, 2006; Dongen and Aalst, 2004), our method
intends to merge the verification process of BP prop-
erties with the design of the task model. In this way
we take full advantage of the strengths that a formal-
ization of behavioural and temporal aspects of BPMN
models can provide to the analysis, both at design and
run-time.
2 BPMN CHOREOGRAPHIES
FORMALIZATION
BPMN is a standard for the semi–formal specification
of task workflows in business BP models and to de-
scribe the collaboration between services. BPMN has
been extended to BPMN 2.0 to support the collabo-
ration between analysis entities in BP models, which
brings forward a choreographic model based on peer
interactions (Qiu, 2007), instead of followinga design
model based on services orchestration (Peltz, 2003).
BPMN 2.0 promotes a collaborative and abstract
description of software systems that allows for focus-
Choreog.
task name
A
B
A
B
A
B
A
B
Figure 1: Choreography diagrams.
135
I. Capel M..
Choreography Conformace Checking based on Process Algebras.
DOI: 10.5220/0004379001350139
In Proceedings of the 3rd International Conference on Cloud Computing and Services Science (CLOSER-2013), pages 135-139
ISBN: 978-989-8565-52-5
Copyright
c
2013 SCITEPRESS (Science and Technology Publications, Lda.)
ing more on what services do in a composition than
on how they do it. As consequence, interactions be-
tween system’s components or peers should be more
precisely described than in “interconnected interface
models”, within which the interactions are defined in-
ternally to each peer and the description of interfaces
between system components becomes of paramount
importance. On the other hand, “interaction–based
models” consider the “conversations” between peers
as the basic building blocks of any system design,
whereas the specification of interfaces then becomes
secondary to the system’s properties analysis.
Figure 2: Example of a BPMN diagram.
BPMN 2.0 advocates for the Service Choreogra-
phy Description Language (WS–CDL), which better
fulfills the requirements of choreography specifica-
tions due to their global perspective of the system.
BPMN 2.0 Choreography Diagrams describe one–
way and two–way interactions between peers. In Fig-
ure 1, the peers A and B represented by the upper and
lower bands, respectively, in the participants tasks ex-
change messages. In the second task, there is a two
way interaction: peer A receives a message and peer
B sends a return message.
2.1 Example
Consider, for instance, the simple example of an Hos-
pital Pharmacy logistic process shown in Figure 2.
The BPD depicts the message flows between two par-
ticipants, the Ward and the Pharmacy, which are in-
dependent BP and may have been constructed sepa-
rately. Clearly, the synchronization between both par-
ticipants is a necessary behavioural property for suc-
cessful collaboration.
For example, from the pharmacy participant’s
perspective, drugs delivering should be guaran-
teed by sending a message to the ward partici-
pant prior a purchase order would be made or
sent; while from the ward participant’s perspec-
tive, by sending a message to the pharmacy partic-
ipant with enough time in advance to have the re-
quired drugs to begin medical treatment. The spec-
ification in Figure 3 shows the interaction between
the peers(customer, ward, pharmacy, db) translated
from the business process Hospital Pharmacy diagram
in Figure 2, which represent the behaviour of tasks
within the pools Ward and Pharmacy. In this spec-
ification, we can see that first the customer interacts
with the
ward
(
connect
), then sends the prescription
to the
pharmacy
(
request
) and eventually receives
a response if the drug is available. On the contrary,
the
pharmacy
makes a order (
purchase order
) and
when the drug is available, it delivers the drug to
the
ward
(
receives
). In this last case, the pre-
scription will be prepared and given to the customer
(
delivered
), which terminates the complete proto-
col.
Search
drug
Customer
Send internal
order
Ward
Ward
Pharmacy
request
Ward
Pharmacy
DB
Pharmacy
Ward
Customer
Prepare
drug
Ward
Pharmacy
Ward
Pharmacy
Search
drug
Prepare
order
Deliver
drug
Make purch.
order
received
purchase
order
placed
delivered
connect
Figure 3: BPMN 2.9 Choreography Diagram–Ward-
Pharmacy Example.
2.2 CSP+T
CSP+T (Zic, 1994) is a real–time specification lan-
guage which extends Communicating Sequential Pro-
cesses (CSP) allowing the description of complex
event timings, within a single sequential process, for
use in the behavioural specification of any critical
communicating process. A CSP+T process term P is
defined as a tuple (αP, P), where αP = Comm act(P)
Interface(P) is the communication alphabet of P.
CSP+T is a superset of CSP, the latter being
changed by the fact that traces of events become pairs
denoted as t.a, where t is the time at which event a is
observed.
The event enabling interval I(T, t
a
) = {t T |
rel(t
a
, v) t rel(t
a
+ T, v)} indicates the time span
where any event is accepted. rel(x, v) = x+ v t
0
, t
0
corresponds to the preceding instantiation event (),
occurred at some absolute time t
0
, and x is the value
held in the marker variable v at that time. The time
interval expression can be simplified to I(T, t
a
) =
[t
a
, t
a
+ T] if the instantiation event, after which the
event a can occur, corresponds to the origin (t
0
= 0)
of the rt-clock.
CLOSER2013-3rdInternationalConferenceonCloudComputingandServicesScience
136
3 REIFICATION OF
CHOREOGRAPHIES
Any choreography can be considered as realizable
if all the interactions that we have specified in the
BPMN 2.0 diagram are equivalent to those that can be
executed by the interacting peers when we implement
the model in a service–description language, such as
WS-CDL.
BPMN choreographies are transformed into
CSP+T process calculus by following the state-
machine behavioural pattern. Each analysis entity of
BPMN is encoded as a CSP+T syntactical–process
term that represents the machine’s state, thereby
translating the BPMN construct plus a call to the pro-
cess that represents the successor state.
connect
search
drug
send
internal
order
prepare
order
purchase
order
found
delivered
prepare
drug
Figure 4: LTS model of the Ward–Pharmacy Example.
The LTS model reifies the choreography and allows
the verifier to check its realizability w.r.t. the model
of the system composed of interacting peers. If these
two models are behaviorally equivalent, it means that
the peer generation exactly satisfies the BPMN com-
munication requirements. On the contrary, the peers
do not generate the same interactions as the ones spec-
ified in the choreography,and thus we can say that this
choreography reification is unrealizable.
The transformation of CSP+T process terms into
a LTS model sets the ground for performing be-
havioural verification of constituent components of a
system specified in CSP+T by using the FDR2 MC
tool (Formal Systems Europe, 2005). FDR2 checks
the behavioural equivalence of two models written as
CSP process terms through a refinement relationship
between syntactical process terms (Mendoza, 2011).
3.1 Behavioural Equivalence
Taking steps towards the verifiability of BPMN chore-
ographies is that we placed both, the choreography
reification and the interacting peers model, in the
same semantic domain, that of CSP+T process cal-
culus. We therefore propose here, (a) a set of trans-
formation rules from a subset of analysis constructs
of BPMN into Communicating Sequential Processes
+ Time (CSP+T) calculus, (b) an easy verification
approach for choreography models designed with
BPMN. Differently to other authors (Dongen and
Aalst, 2004; Rozinat and Aalst, 2006), our method
intends to merge the verification process of BP prop-
erties with the design of the BPMN 2.0 model. In this
way we take full advantage of the strengths that a for-
malization of behavioural aspects of BPMN models
can provide to the analysis, both at design and run–
time.
Thus, our method to check the realizability of a
given choreography reification consists of the follow-
ing integrated steps according to MC technique and
the automata theory,
1. We generate the choreographyreification as a LTS
derived from the CSP+T encoding.
2. The peers’ behaviour are extracted from of the ini-
tial BPMN–CD by the application of a proposed
transformation rules set.
3. We build the distributed system model, structured
as the extracted interacting peers.
4. Finally, we automatically and compositionally
(see Theorem 1) verify that the choreography
reification (LTS) and the distributed version of the
system are behaviorally equivalent.
Theorem 1. System Compositional Verification.
Let the choreography reification C be structured
into several components working in parallel, C =
f
i:1..n
C
i
. For a set of LTS(C
i
) describing the be-
haviour of components C
i
, properties φ
i
, invariants
ψ
i
, and deadlock δ, with
T
i:1..n
Σ
i
=
/
0,
T
i:1..n
i
=
/
0, and
T
i:1..n
L (TBA(C
i
)) =
/
0, the following condi-
tion holds:
LTS(C) (φψ¬δ)
n
i:1..n
LTS(C
i
)
^
i:1..n
(φ
i
ψ
i
) ¬δ,
(1)
where LTS(C) = k
i:1..n
LTS(C
i
).
The practical application of relation (1) includes
performing an inductive ‘satisfaction checking’ pro-
cess on the range of the components number (i :
1, . . . , n) of the system of peers to be checked .
3.2 BPMN to CSP+T Transformation
We need the semantic precision given by a formal lan-
guage to the basic analysis entities in order to be able
to correctly describe fully executable CDs, such as
the one shown in Figure 1. BPMN 2.0 defines ad-
vanced constructs, such as different types of OR deci-
sion gateways, multiple instances of tasks and subpro-
cesses, which may be transformed into CSP+T pro-
cess terms, preserving the interaction behaviour be-
tween the participant tasks.
ChoreographyConformaceCheckingbasedonProcessAlgebras
137
Figure 5: BPMN Elements Extended Graphical Represen-
tation.
3.3 BPMN Temporal Extension
In many models of choreographies, constraints on
time and resources appear that may cause the vio-
lation of the system’s safety properties. It becomes
therefore necessary to extend the formal notation with
new modelling entities that address temporal and re-
source constraints (Figure 5). We opted to extend the
activitysymbol with maximum and minimum time in-
stants, within which any task or subprocess execution
must be performed.
4 CHOREOGRAPHY MODEL
CHECKING
As an application of the formal semantics proposed
in section 3.2 for BPMN 2.0 analysis entities, we
opted to estudy the Ward–Pharmacy example, whose
BPMN-CD (Figure 3) shows a certain interaction be-
tween the participant peers. For each participant in
the BPMN-CD, we specified a parallel composition
of parallel CSP+T processes, thereby we can define a
bijection between processes and diagram states. The
proposed formal specification abstracts the internal
interaction between the individual peer states.
[a,b-7]
connect
[a+1,b-6]
search
drug
[a+2,b-5]
send
internal
order
[a+3,b-4]
prepare
order
[a+6,b-1]
delivered
[a+2,b-5]
prepare
drug
[a+4,b-3]
make
purchase
order
[a+5,b-2]
timeout
[a+7,b]
prepare
drug
[a+5,b-2]
found
[a+3,b-4]
end.1
[a+8,b+1]
end.2
Figure 6: Timed LTS model of the Ward-Pharmacy.
4.1 Verification
The reification of the choreography is realizable if the
set of interactions specified by the above process term
T(LTS) and those executed by the interacting peers in
the target distributed system, specified by the process
P
BPMN
= Customerk Wardkbpmn kDB are the same.
Thus, according to traces and failures semantics of
CSP, it must be ascertained that the following refining
assertion is true,
T(LTS)
F
P
BPMN
(2)
However, the FDR2 returned false since the
trace < connect, search drug, send order,
prepare order, deliver, prepare drug > appears
in both models, but the trace < connect, search
drug, send order, prepare order, deliver,
prepare drug, purchaseorder, abort > is
present in the peers–based distributed system and not
in the LTS of the choreography.
The solution to this error in the LTS model is to
make explicit an extra state in which the LTS is wait-
ing for completing the purchase of the drug and add
a timeout to this state If that time period expires then
the LTS will reach an
abort
state signifying that the
purchase is cancelled, since probably the distributor’s
stock has been exhausted. The new LTS can be seen
in Figure 6.
5 CONCLUSIONS
To check the behavioural equivalence between an
LTS, which specifies the possible behaviour of a
highly interactivesystem, against the actual behaviour
of a peer–based distributed applicationis is a very
complex activity. We have solved that problem by
transformation of the LTS and the peer–system model
into a proces calculus named CSP+T. In this way, we
can analyze and automatically verify the conformance
of the defined choreography for services that commu-
nicate through messages in a general, distributed, and
highly parallel system.
REFERENCES
Aalst, W. (2009). Challenges in business process analy-
sis. in: Enterprise information systems. In Lecture
Notes in Business Information Processing, v. 12:27–
42. Springer–Verlag.
Dongen, B. and Aalst, W. (2004). Multi–phase process min-
ing: Building instance graphs. Springer-Verlag, Hei-
delberg(D), lecture notes in computer science, v. 3288
edition.
Formal Systems Europe, L. (2005). Failures–Divergence
Refinement FDR2 User Manual. Formal Systems
Europe Ltd., Oxford(UK).
CLOSER2013-3rdInternationalConferenceonCloudComputingandServicesScience
138
Mendoza, L. (2011). Una Contribuci´on a las T´ecnicas
Avanzadas de Verificaci´on de Procesos de Negocio
(In Spanish). PhD Dissertation book. University of
Granada (ISBN:978-980-12-4957-3).
Mendoza, L., Capel, M. I., and P´erez, M. (2012). Concep-
tual framework for business processes compositional
verifications. Information and Software Technology,
54(2):149:161.
Peltz, C. (2003). Web services orchestration and choreog-
raphy. IEEE Computer, 36(10):46–52.
Qiu, Z. e. a. (2007). Towards the theoretical foundation of
choreography. Proceedings of the 16th international
conference on World Wide Web (WWW’07), pages
973–982.
Rozinat, A. and Aalst, W. (2006). Springer-Verlag.
Schneider, S. (2000). Concurrent and Real–Time Systems –
The CSP Approach. John Wiley & Sons, Ltd.
Zic, J. (1994). Time–constrained buffer specifica-
tions in CSP+T and Timed CSP. ACM TOPLAS,
16(6):1661:1674.
ChoreographyConformaceCheckingbasedonProcessAlgebras
139